How do I configure SonarQube to ensure that all my project settings and changes are reflected in the same Git repository where my code also lives, so I can use our existing processes for review and tracking of changes to the configuration, and so I can run SonarLint with the same configuration locally before pushing to CI? In other words how do I block changes to the selected quality profile, changes to the included rules and their severity within a quality profile, changes to the resolution or state of an issue, so that these things cannot be done from the SonarQube UI? Or alternatively, how to I make SonarQube automatically create a pull request if someone attempt these changes in the UI, and ensure that the changes are not effective until the pull request has been approved and merged? Basically how do I ensure that the only thing allowed in the SonarQube database is managing project names and project keys?
Welcome to the community!
I know this seems like one question to you, but on my side it’s several. Or at least, it breaks down into several answers.
You can’t. Project configuration (and global configuration) is stored in the DB. Some things can be set - for an analysis - via analysis properties, and those can indeed be stored as part of your analysis configuration with your code. But there are other settings that can only be set via the UI.
Run SonarLint in Connected Mode with your server, and the correct settings and Quality Profiles will be automatically synced-in.
There are granular permissions for Issues Administration and Quality Profile admin. Your only option is to not grant them.
Note that global admins intrinsically have edit on all Quality Profiles, so you won’t be able to block them, but there are audit trails.
Yeah… it’s just not built that way.
I think I know the answer, but would you mind explaining why you want to do this? Is the answer purely “so I can use our existing processes for review and tracking of changes to the configuration”? Because on the face of it, what you’re asking for strikes me as rather low-trust, when we’ve always defaulted to trusting developers to a) want to write good code b) want to do the right/responsible thing & have introduced controls to the contrary (such as the granular permission to Administer Issues in a project) reluctantly and with much foot-dragging.
Many thanks for your answers. I have a few followup questions.
Do you know of any competing product that supports this? We need a product that can automatically scan our code for known vulnerabilities for compliance. We have now tried SonarQube, but we would consider switching to a better alternative if we find some.
It looks to me that Connected Mode requires some kind of live connection to the server. For security reasons, the network where our SonarQube server runs is not accessible from the devices where we are allowed to install developer tools and IDEs. How can we use SonarLint most effectively with these limitations?
One reason is to have a shared process for everything, including code changes, configuation changes, infrastructure changes etc. It makes things simpler. Infrastructure-as-Code is popular these days. Another reason is to be able to run the analysis locally within our IDE with the same configuration as on the server, so we don’t get a ton of errors reported only after we have pushed the change to CI. Another reason is to ensure we have the appropriate backup of configuration, in case the server where the SonarQube database runs is lost.
I don’t. But even if I did, do you think I would tell you?
You don’t happen to work under a mountain, do you?
More seriously, I understand dev machines not having access to production, but I wouldn’t consider SonarQube “production” per se. IMO it’s in the same class of dev tools as your CMS. Maybe you could get it moved on the network?
Thanks for explaining. Our Product Managers have been keeping an eye on the topic, but I’m not aware of any concrete plans right now.
Ehm… Surely you back up your DB on a regular basis?